It’s rabbit season – BadRabbit, that is, the bastard spawn of ransomware Petya/NotPetya that was just discovered on Monday, and has since hopped its way around the world, taking down servers in Russia and Ukraine before moving onto Turkey, Asia, and the United States. What’s different in this attack is that BadRabbit abuses DiskCryptor, a perfectly legitimate application for disk encryption (and thus exempt from security checks by anti-virus software, sandboxes, etc.; and in addition it has the ability to hide its capabilities when it passes through a sandbox), to cut off user access to Windows Office, image, video, audio, email and archive files – which can only be “redeemed” with the payment of ransom.
According to those who have seen it in action, BadRabbit gets installed on a system when a victim runs a phony Adobe Flash Player installer posted on a hacked website. Upon infection, the malware drops a DLL and executes it using rundll32.exe. This DLL, the main module of BadRabbit, is in charge of several tasks including: Dropping further elements in the form of another DLL and executable, scanning the LAN to propagate further attacks, and setting up scheduled tasks that will run the dropped executable (one of those tasks is called apparently a reference to a skin disease featured on Game of Thrones – so we know what the propagators of this attack are watching on TV).
Once all files have been encrypted, BadRabbit installs a bootlocker and a system shutdown is scheduled – with the reboot defaulting to a ransom message, demanding the payment of .05 bitcoin (about $275 at today’s exchange rate) for the unlock code. As the price point here is pretty low, the hackers are banking on the vast majority of victims paying up – a very likely eventuality, as some 70% of ransomware victims eventually pay up, according to a report by IBM (of those, more than half paid $10,000 or more in ransom to free up their data, so paying $275 is certainly a no brainer for most victims).
The encryption itself is very professionally done, with a strong encryption algorithm, and the encrypted files contain no visible patterns. When the ransom is paid, the victim gets a key to release the bootlocker and actually get to the hard drive. A second key unlocks the files. In a way, it’s a bizarre twist on two factor authentication – relying on the likelihood that victims won’t even try to liberate their files on their own if there are multiple roadblocks in their way. The whole operation – the professional design and approach to the encryption (a relatively sophisticated “customer service” group needs to be in place to support the decryption process, which entails numerous technical steps) indicates that the group behind BadRabbit is very professional.
We call BadRabbit the “bastard spawn” of Petya/NotPetya because it has some similarities – and dissimilarities – to that overwhelmingly successful attack. Like its “daddy,” BadRabbit encrypts files on the infected machine and demands a ransom, utilizing an additional bootlocker to lock the machine until the ransom has been paid. It is also capable of moving laterally using SMB in order to infect other machines in the organization. And, the BadRabbit bootlocker, as well as the kernel modules used, appear very similar to the one used in Petya/NotPetya.
Regardless of the bloodline running from Petya/NotPetya to BadRabbit, as well as the true motives of its authors, it appears that its authors have put in some hard work into it, and have done their homework, learning from previous mistakes. In addition, they have come up with some interesting twists, such as using a legitimate encryption application to sneak past conventional end-point solutions. Further research will no doubt shed more details on this latest threat to cybersecurity.